Vyatta Firewall Basics and Configuration

A few weeks ago, I installed Vyatta Open Source as a router internal to my network to see how it handled traffic between multiple subnets.  To put it plainly, it worked like a champ!  I put the router in place, assigned IP addresses to the NICs (network interface cards), and let the system do its thing.  It now connects traffic between my physical network, my production virtual network, and my virtual lab running on ESX 3.5.  I can easily manage most firewalls and routers that have a GUI, but Vyatta presented a new challenge to me.  In the case of this system, for some tasks it’s a lot easier to use the command line interface (CLI).

So without further ado, here are the basics of Vyatta’s firewall.

Each NIC on the Vyatta build can have 3 firewalls associated with it.  By default, before you set up the firewalls, they are wide open, blocking no traffic at all.  That’s right, all traffic is allowed through the NICs in every direction: inbound, outbound, and traffic destined for the router itself.

As I mentioned, Vyatta has 3 firewalls per NIC.  These firewalls are inbound – traffic coming into the NIC to pass through to another IP or subnet, outbound – traffic leaving the NIC, and local – traffic destined for the NIC itself.  Each of these firewalls can be configured to lock the NIC down, and once a firewall is attached, all traffic not matched by one of its rules is blocked, versus the default state of open.  For example, if you configure a firewall rule to allow traffic passing through from a specific IP address, all other traffic will be blocked.

So we’ll use a scenario to explain it further.  This scenario consists of 3 separate subnets – lab (192.168.50.0/24), production servers (192.168.60.0/24), and clients (192.168.70.0/24), the last of which is also connected to the Internet through a router/gateway.  Vyatta is more than capable of filling the gateway router role as well, but this scenario is for internal use only.  Vyatta is configured with 3 NICs, one residing on each subnet.  The following diagram illustrates the configuration and traffic.

Sample Network Diagram

It’s best to configure all of your rules in a text editor so that you can easily edit and modify them and implement them all at once.  It also gives you a handy backup of your router’s configuration.

We want the lab subnet (192.168.50.0/24) to be able to reach the client subnet (192.168.70.0/24) so it has Internet access, but not the production server subnet (192.168.60.0/24). We want the production server subnet to be able to reach the client subnet, again for Internet access, but not the lab subnet.  We want the client subnet to be able to reach both the lab and the production server subnet.  In addition, we want a specific IP address to be able to manage Vyatta from the client subnet, but no others. 

We have 3 rule sets on each NIC, so our rule set for the lab subnet (NIC eth0) will be configured as:

set firewall name eth0InFilter rule 10 action accept
set firewall name eth0InFilter rule 10 source address 192.168.50.0/24
set firewall name eth0InFilter rule 10 destination address 192.168.70.0/24
set interfaces ethernet eth0 firewall in eth0InFilter

set firewall name eth0OutFilter rule 10 action accept
set firewall name eth0OutFilter rule 10 source address 192.168.70.0/24
set firewall name eth0OutFilter rule 10 destination address 192.168.50.0/24
set interfaces ethernet eth0 firewall out eth0OutFilter

set firewall name eth0LocalFilter rule 1000 action reject
set firewall name eth0LocalFilter rule 1000 source address 0.0.0.0/0
set interfaces ethernet eth0 firewall local eth0LocalFilter

Tip:  I usually create rules in steps of 10 in case I need to go back and add a rule in the middle somewhere since firewall rules are first come / first served.

- The set firewall commands begin with assigning the action [accept|reject|drop]. 
- Next they assign the source as [address address|port port|mac-address mac-addr]. 
- After that, if necessary, they assign a destination as [address address|port port|mac-address mac-addr]. 

In the last line of each block, we attach the rule set to the NIC by the name defined in the previous lines and the target [in|out|local].

Remember that in the beginning of this post I told you that unless a firewall rule is specified, that portion of the NIC (in|out|local) is wide open?  So to address the local traffic, we are ‘reject’ing all from source address 0.0.0.0/0.  You could also set the destination to the IP address of the NIC.  I haven’t specifically tried this rule, but it should work either way.  With this rule in place, all traffic directed to the IP address of this NIC should be rejected.  You could also use ‘drop’ to have the router just drop the packets instead of resetting the connection. 

Tip: Once a firewall is attached, traffic that matches no rule is rejected.  With this in mind, you could even set up a simple dummy rule that blocks port 80 traffic, i.e. HTTP traffic.  With this rule in place, all other traffic that hits that firewall would be blocked as well.  You would simply change rule 1000 for eth0LocalFilter source to:

set firewall name eth0LocalFilter rule 1000 source port 80

The rules for routing the production network would be very similar to the rules above, as would the rules from the client subnet to the other subnets.  You can configure rules as you need them to allow traffic from one place to another.

For restricting access to manage the Vyatta router to a specific IP address on a specific target NIC in the router, the following commands would be used for the example above:

set firewall name eth3LocalFilter rule 10 action accept
set firewall name eth3LocalFilter rule 10 source address 192.168.70.170
set firewall name eth3LocalFilter rule 10 destination address 192.168.70.100
set interfaces ethernet eth3 firewall local eth3LocalFilter

Machines using IP address 192.168.70.170 would be allowed to send traffic to 192.168.70.100, which is the Vyatta router’s address on that NIC, and would therefore be allowed to manage it.
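The post leaves the production and client NICs as an exercise, so here is an added Python example (mine, not from the post or from Vyatta) that expands the stated three-subnet policy into set commands for every NIC and then checks sample flows against the generated rule sets using the first-match, blocked-when-unmatched behaviour described above, including the management-host exception. It assumes eth1 carries the production subnet (the post names only eth0 and eth3) and treats the filters as stateless, exactly as the post’s rules do.

```python
"""Expand the post's per-subnet policy into Vyatta 'set' commands for every NIC, then
check flows against the rulesets using the first-match, deny-when-unmatched behaviour."""
from ipaddress import ip_address, ip_network

# NIC -> subnet. eth0 (lab) and eth3 (clients) are the post's; eth1 for production is assumed.
SUBNETS = {"eth0": "192.168.50.0/24", "eth1": "192.168.60.0/24", "eth3": "192.168.70.0/24"}
# Subnet pairs allowed to talk (the stated policy). Lab <-> production is absent, hence blocked.
ALLOWED = [("192.168.50.0/24", "192.168.70.0/24"), ("192.168.70.0/24", "192.168.50.0/24"),
           ("192.168.60.0/24", "192.168.70.0/24"), ("192.168.70.0/24", "192.168.60.0/24")]
MGMT_HOST, ROUTER_ADDR, MGMT_IFACE = "192.168.70.170", "192.168.70.100", "eth3"
STEP = 10  # number rules in steps of 10 so one can be inserted later without renumbering

def build_rulesets():
    """Return {(iface, direction): [(rule_num, action, src, dst), ...]} for in/out/local per NIC."""
    rulesets = {}
    for iface, net in SUBNETS.items():
        # 'in': packets arriving on this NIC from its own subnet, to be routed to another subnet.
        inbound = [pair for pair in ALLOWED if pair[0] == net]
        rulesets[(iface, "in")] = [((i + 1) * STEP, "accept", s, d) for i, (s, d) in enumerate(inbound)]
        # 'out': packets leaving this NIC toward its own subnet (the reverse direction).
        outbound = [pair for pair in ALLOWED if pair[1] == net]
        rulesets[(iface, "out")] = [((i + 1) * STEP, "accept", s, d) for i, (s, d) in enumerate(outbound)]
        # 'local': traffic addressed to the router itself; only the management host may reach it.
        local = [(STEP, "accept", MGMT_HOST, ROUTER_ADDR)] if iface == MGMT_IFACE else []
        local.append((1000, "reject", "0.0.0.0/0", None))  # explicit catch-all, as in the post
        rulesets[(iface, "local")] = local
    return rulesets

def ruleset_name(iface, direction):
    return f"{iface}{direction.capitalize()}Filter"  # eth0InFilter, eth0OutFilter, eth0LocalFilter

def to_commands(rulesets):
    """Emit configure-mode commands; each ruleset ends by being attached to its NIC and direction."""
    cmds = []
    for (iface, direction), rules in rulesets.items():
        name = ruleset_name(iface, direction)
        for num, action, src, dst in rules:
            cmds.append(f"set firewall name {name} rule {num} action {action}")
            cmds.append(f"set firewall name {name} rule {num} source address {src}")
            if dst is not None:
                cmds.append(f"set firewall name {name} rule {num} destination address {dst}")
        cmds.append(f"set interfaces ethernet {iface} firewall {direction} {name}")
    return cmds

def evaluate(rules, src, dst):
    """Lowest-numbered matching rule wins; once a ruleset is attached, an unmatched packet is not passed."""
    for _num, action, rule_src, rule_dst in sorted(rules):
        if ip_address(src) in ip_network(rule_src) and (
                rule_dst is None or ip_address(dst) in ip_network(rule_dst)):
            return action
    return "reject"  # the implicit default the post describes

def flow_allowed(rulesets, src, dst):
    """A routed packet must pass the ingress NIC's 'in' set and the egress NIC's 'out' set."""
    ingress = next(i for i, n in SUBNETS.items() if ip_address(src) in ip_network(n))
    egress = next(i for i, n in SUBNETS.items() if ip_address(dst) in ip_network(n))
    return (evaluate(rulesets[(ingress, "in")], src, dst) == "accept"
            and evaluate(rulesets[(egress, "out")], src, dst) == "accept")

if __name__ == "__main__":
    print("\n".join(to_commands(build_rulesets())))
```

Running the file prints the full command list, ready to paste into configure mode and commit.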

This, along with the documentation, should be enough to get you off the ground in getting your firewalls set up.  Vyatta is a very powerful, enterprise-ready product that can and should be used to secure your network if you can’t afford or don’t want to afford the likes of Cisco.  I don’t know if Vyatta is on par with Cisco for performance, configuration, reporting, etc., but for the price, I’ll stick with Vyatta Community Edition for my network. :)

Vyatta can be run in a virtual machine, can be downloaded as a VMware Workstation virtual appliance and then imported into ESX, can run directly on a multitude of hardware, and can even run directly from CD, without installing on a hard drive (though this configuration obviously does not allow you to save changes that you make in the router software.)

Make sure to check out Vyatta’s documentation.  It is VERY thorough, but a little hard to read.  The file you’re looking for in particular for firewall stuff is: Vyatta_SecurityRef_VC5_v03.pdf.  You can download it directly from their site after filling out a short registration form.  http://www.vyatta.com.  While you’re there, pull down the rest of the docs too, since you’re filling out a form anyway.  I’d post the doc on my site for your convenience, but it would likely be outdated quickly, and I don’t want to take any traffic or statistics away from Vyatta since registration is mandatory to download the docs.  I filled out the registration forms for the downloads and have not seen a single piece of spam from Vyatta. ;)

Quick reference for the commands that I used:

[set|delete|show] firewall name <name> rule <rule-num> action [accept|reject|drop]
[set|delete|show] firewall name <name> rule <rule-num> source [address <address>|port <port>|mac-address <mac-addr>]
[set|delete|show] firewall name <name> rule <rule-num> destination [address <address>|port <port>|mac-address <mac-addr>]
[set|show] interfaces ethernet <ethX> firewall [in|out|local] <name>

Items in angle brackets <> are input variables. Items between square brackets [] are the parameter choices, separated by |.

I hope this post helps someone to understand Vyatta’s CLI (command line interface) in regards to setting up the firewalls.  Also remember that all of this needs to be done in configure mode and commit needs to be run after changes have been made.

Good luck and happy networking.  If you run into trouble, post here and I’ll try to respond ASAP.  If this article works out well for you, let me know too. :)

About the author

My name is Clement DeLarge and I'm a Practice Team Lead for Application Development with EMC. When I'm not working, I'm raising my son, riding my motorcycle, playing with technology, or just about anything else that's fun that I come across.

15 Responses to “Vyatta Firewall Basics and Configuration”

  2. Neil Kanth says:

    Can you please provide the full set up of nat & firewall.

  3. @Neil, I don’t have a completely built out Vyatta front system, and I haven’t upgraded to 6.0 yet. Are you looking to use this as a front firewall? If you give me the setup that you’re looking for, I’ll try to script one out for you, but it may take some time.

  4. NJoshi says:

    Hi Clement DeLarge,

    I have 2 internet connections. I want to make avail both of these connections to my LAN.
    How can I do it?

    Thanks.

  5. @NJoshi: That’s a good question… not one that I’ve had to deal with very often. Why do you want to use both internet connections? Are you looking to use them to back each other up or are you trying to bridge the connection to double your bandwidth? Or something else?

    I’m not sure if/how you can do it with Vyatta if you’re attempting to bridge the connections, and since I haven’t done something like this with Vyatta, I’m going to have to give you a rough explanation that is based on general networking.

    If you’re looking to load balance your network and internet connections, you can use Vyatta to set up 2 separate subnets, each with their own independent IP configurations, and use Vyatta to provide both internet connections as separate gateways for each subnet. You can also use Vyatta to allow requests to bounce back and forth between the subnets. This would allow you to have half of your systems on one internet connection and half on the other. So subnet A would use subnet A’s gateway for Internet access and subnet B would use subnet B’s gateway. Then you could configure subnet B’s gateway as an alternate gateway for subnet A and vice versa, which would give you redundancy. If one of the gateways dropped, you’d be able to use the gateway of the alternate automatically.

    As a variation, you could also put both gateways on the same subnet, along with all of your clients, and when configuring your clients, have some use gateway A and others use gateway B, and configure the alternates on the clients so that again redundancy is provided.

    As far as bridging the connections to combine the bandwidth, I’m not sure whether Vyatta supports that or not. Effectively, whatever appliance that you are using would need to be smart enough to send traffic out on either internet connection, and manage the returns, turning Vyatta from a router into a load balancer. I’m just not sure whether that configuration is supported by the product or not. If I get some time, I’ll dig into it and see if I can find it in the docs, but off-hand, I haven’t seen the product used in that way.

    Hope this helps, or if you have any further specs that you want to give me to fit your scenario, let me know.

    Again, hope this helps. If you do come up with something, please post back. :)

  6. Jason says:

    Hi Clement DeLarge,

    I have a major problem with Vyatta. I recently installed it and configured it as a router on my network; I used it to route the internet. I configured the webproxy and content filtering and I noticed that it prevents anyone from downloading their email attachment(s). I tried everything to fix this but so far I’m unsuccessful in all my attempts. Is there a way I can solve this problem?
    Thanks.

  7. Jason says:

    Oh by the way I am using VC6

  8. @Jason: Your users’ email attachments are not downloading? Are these internal users downloading from a server on the Internet? What email client are they using or is this through a web browser? If your users are using something like MS Outlook, can they download attachments using OWA or from email services like gmail, hotmail, etc? Or are all attachment downloads being blocked?

  9. Jason says:

    The users’ email is external…yahoo…gmail…hotmail etc….that’s where they’re downloading their attachments from…yes it’s through the web browser….there is no internal email set up here in the computer lab…whenever you try to download an attachment from your email (external) it brings up the dialogue box and when you click it to either open or save, nothing happens, it just disappears and that’s it.

  10. @Jason: I’ll try to play around with it and see what I can come up with. It might be something you configured in content filtering.

  11. @Jason: Can you either post or send me a copy of your config commands with any confidential settings pulled out or X’ed? I just sent you an email in case you want to email it instead of post it.

    Quick things to check out are web content filtering settings and if you have Vyatta’s IPS enabled, though I don’t think that would cause a problem, you may want to try disabling and see if that helps.

  12. Jason says:

    Here is a copy of the entire configuration.

    vyatta@vyatta# show -all
    firewall {
        all-ping enable
        broadcast-ping disable
        conntrack-table-size 32768
        conntrack-tcp-loose enable
        ip-src-route disable
        ipv6-receive-redirects disable
        ipv6-src-route disable
        log-martians enable
        name WAN_IN {
            default-action drop
            rule 10 {
                action accept
                description Allow-Access-to-HTTP
                destination {
                    address 192.168.x.x
                    port 80
                }
                protocol tcp
            }
            rule 20 {
                action accept
                description Allow-MSTSC-Access
                destination {
                    address 192.168.x.x
                    port 3389
                }
                log enable
                protocol tcp
            }
            rule 30 {
                action accept
                description NAT-For-Lan
                destination {
                    address 192.168.x.x
                }
            }
        }
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        ethernet eth0 {
            address 192.168.2.6/24
            description "Internal LAN"
            duplex auto
            hw-id 00:0d:87:53:94:44
            smp_affinity auto
            speed auto
        }
        ethernet eth1 {
            address dhcp
            description "External WAN"
            duplex auto
            firewall {
                in {
                    name WAN_IN
                }
            }
            hw-id 00:e0:4c:36:c1:a2
            smp_affinity auto
            speed auto
        }
        loopback lo {
        }
    }
    protocols {
        static {
        }
    }
    service {
        https
        nat {
            rule 10 {
                destination {
                    address 0.0.0.0/0
                }
                outbound-interface eth1
                protocol all
                source {
                    address 192.168.x.x/24
                }
                type masquerade
            }
            rule 20 {
                destination {
                    address 192.168.x.x
                    port 80
                }
                inbound-interface eth1
                inside-address {
                    address 192.168.x.x
                    port 80
                }
                protocol tcp
                type destination
            }
            rule 30 {
                destination {
                    address 192.168.x.x
                    port 3389
                }
                inbound-interface eth1
                inside-address {
                    address 192.168.x.x
                    port 3389
                }
                protocol tcp
                type destination
            }
        }
        ssh {
            port 222
            protocol-version v2
        }
        telnet {
            port 23
        }
        webproxy {
            cache-size 1000
            default-port 3128
            listen-address 192.168.x.x {
                disable-transparent
            }
            url-filtering {
                squidguard {
                    allow-ipaddr-url
                    auto-update {
                        update-hour 12
                    }
                    block-category proxy
                    block-category porn
                    block-category reaffected
                    block-category redirector
                    block-category remote-control
                    block-category strict_redirector
                    block-category strong_redirector
                    block-category violence
                    block-category warez
                    block-category phishing
                    block-category mixed_adult
                    block-category manga
                    block-category malware
                    block-category hacking
                    block-category games
                    block-category gambling
                    block-category filehosting
                    block-category drugs
                    block-category dating
                    block-category dangerous_material
                    block-category chat
                    block-category aggressive
                    block-category adult
                    block-category ads
                    block-category audio-video
                    block-category agressif
                    default-action allow
                    local-block facebook.com
                    local-block tagged.com
                    local-block twitter.com
                    local-block hi5.com
                    local-block myspace.com
                    local-block vibesconnect.com
                    local-block-keyword game
                    local-block-keyword games
                    local-ok youtube.com
                    local-ok yahoo.com
                    log all
                    redirect-url http://192.168.x.x/cgi-bin/squidGuard-simple.cgi?targetclass=%t&url=%u
                }
            }
        }
    }
    system {
        domain-name technology-lab.edu
        host-name vyatta
        login {
            user vyatta {
                authentication {
                    encrypted-password $1$g1RaCJXt$QWiZJWB6xItkH/ljZzDTn1
                }
                level admin
            }
        }
        name-server 192.168.x.x
        ntp-server 0.vyatta.pool.ntp.org
        package {
            auto-sync 1
            repository supported {
                components main
                distribution stable
                password ""
                url http://packages.vyatta.com/vyatta-supported
                username ""
            }
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
        time-zone GMT

  13. @Jason: Looking at your configuration, it looks fine. I haven’t had the chance to plug it in yet, but will try on Thursday if I can’t get to it before then and you haven’t found the solution. From looking at how things have been working, I believe Vyatta is not liking something in the URL of the attachment downloads. Has anything shown up in the logs? (Firewall, WebProxy, or SquidGuard?)

    show webproxy log
    show webproxy blacklist log

    I’d say the next step in troubleshooting would be to check the webproxy log and squidguard and see if anything shows up there. You should be able to see the URL that is being accessed via the webproxy log. If that doesn’t work, then enable logging on the firewall rules for long enough to see if the block/deny shows up.

    If you bypass Vyatta and use a tool like netmon, it should also allow you to see what’s happening with the attachment URLs that are different than the standard browsable ones. It may have something to do with IP addresses being embedded in the URLs, as I know some webproxies don’t allow that since the IP address may allow bypassing of blacklists.

    If that is the issue, you can add exceptions for the IPs associated with those download sites or there may be a setting on the webproxy that I haven’t found yet that will allow for IP addresses to be used in URLs.

    Again, I’ll stand this up as soon as I can and get back to you.

    If you get past it or find out any new info, let me know.
    Good luck.

  14. Jason says:

    Hey guess what? I finally got it to work and I did even before I sent you that previous message….should have mentioned it but I was so busy I didn’t even remember and besides that, I have no idea what I did to get it to work. lol.
    The only thing I remember doing last was just to put in the domain name and the name server IP address, that’s all…and after that I randomly decided to check it again and there; I was able to download attachments without any trouble.
    If you double check the Vyatta configuration I sent you earlier, you will notice I put in the name of my domain as well as the name server IP address….I’m not 100% sure if that’s the change that made it work, but I have yet to do some more tests on another PC to find out if that’s what really works.
    Again thanks for all the assistance you gave me and we’ll keep in touch.

  15. Jason says:

    1. How do I reset or clear the Vyatta web caching?

    2. Why does the internet seem to slow down a few days after Vyatta web caching has been configured, when it was browsing quite fast? Is there a way to get around this?

    3. I set the web cache size to 1000MB (1GB). Is that enough, or the more I increase it, the better it is and the faster the internet browsing?

    4. If I increase the web cache size to say 5000MB (5GB), will it perform any better?
